As is known, Denial of Service (DoS) attacks aim at rendering a particular server element unavailable. This is typically achieved by flooding the victim with a large volume of bogus traffic in order to consume the server resources. The attacker's purpose is to prevent the system from operating normally, so that legitimate access to the system is denied. An application server, such as a Web or SIP server, usually faces the public, insecure Internet and is therefore a potential victim of Denial of Service.
Generally, even in an intranet scenario, a Web or SIP server can be the target of a large volume of traffic generated, for example, by viruses or misconfigured clients. A SIP server offers a large number of potential opportunities for DoS attacks, which telecommunication operators must recognize and address in order to guarantee continuity of service.
Among the different types of DoS attack, application-level attacks are the most difficult to recognize.
In Next Generation Networks (NGNs), protocols such as SIP, HTTP and Web Services are used heavily. NGN applications, and most of the value-added services provided by telecommunication operators, are therefore exposed to application-level DoS.
Consider for example a SIP architecture including, among others, terminals such as IP (Internet Protocol) phones, Proxy servers and Registrar servers, and using messages with fixed signaling methods, including the INVITE and REGISTER methods.
Examples of DoS attacks in such a scenario are an INVITE flood toward IP-phones or SIP servers, and a REGISTER flood toward Registrar servers.
In general, a good solution for Denial of Service should comply with the following requirements: (i) the DoS detection mechanism should not itself be vulnerable to DoS attacks; for example, if the mechanism maintains state (a table in memory), that table should be protected against being overloaded with fake entries; and (ii) the robustness of the detection mechanism should not rely on the secrecy of the algorithm, i.e. even if the attacker knows the detection algorithm, he/she cannot compromise the effectiveness of the detection.
Numerous systems and methods of managing DoS attacks have been proposed.
A particular architecture, described in “Secure Telephony Enabled Middlebox including dedicated sensors” (http://seclab.cs.ucdavis.edu/papers/reynoldsMSthesis.pdf), hereinbelow also referred to as “Reynolds”, considers a flood attack of SIP INVITE.
Reynolds (see in particular chapter 5.4) observes that, under normal IP telephony, the number of initiated handshakes should be very close to the number of completed handshakes within a fixed observation period, and that a key characteristic of an application-layer DoS attack is that the handshaking process is not completed. Therefore, if the difference between the number of initiated and completed handshakes suddenly becomes very large, it is a strong indication that the system is under attack. The model used defines the distribution of calls to different URIs (Uniform Resource Identifiers). The detection of an attack within a single observation period is based upon the expected value of a normalized quantity Xn = Δn/Cn, wherein Δn is the number of initiated handshakes minus the number of completed handshakes and Cn is the average number of connections. To ensure that short high-volume attacks as well as longer low-volume attacks are detected, the algorithm includes a cumulative sum (CUSUM) component. If the cumulative sum exceeds a predetermined threshold, the system is considered under attack.
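As an added illustration of this class of detector (example code written for this page, not taken from the Reynolds thesis), the following Python feeds per-period counts of initiated and completed handshakes into Xn = Δn/Cn and a cumulative sum. The estimator for Cn (a fixed warm-up average), the drift allowance a, the threshold h, the reset of the sum after an alarm, the INVITE/ACK tally and the sample figures are all assumptions of the example.

```python
"""Added example: CUSUM detector on the initiated/completed handshake gap.

Per observation period n:
    delta_n = initiated handshakes - completed handshakes
    x_n     = delta_n / c_n        (c_n: average connections, from a warm-up)
    s_n     = max(0, s_(n-1) + x_n - a); alarm when s_n > h
The only state is three numbers, so the detector cannot be exhausted by
per-call entries.
"""


def tally(first_lines):
    """Count initiated (INVITE) and completed (ACK) handshakes in one period.

    Simplification (assumption of the example): every ACK is treated as
    completing a handshake; a production tally would match the ACK to its
    INVITE and 200 OK via Call-ID and CSeq.
    """
    initiated = sum(1 for line in first_lines if line.startswith("INVITE "))
    completed = sum(1 for line in first_lines if line.startswith("ACK "))
    return initiated, completed


def period_ratios(periods, warmup=3):
    """Return x_n = delta_n / c_n for every period after the warm-up."""
    if len(periods) <= warmup:
        raise ValueError("need more periods than the warm-up length")
    c_n = sum(initiated for initiated, _ in periods[:warmup]) / warmup
    if c_n <= 0:
        raise ValueError("warm-up saw no connections; cannot normalise")
    return [(initiated - completed) / c_n for initiated, completed in periods[warmup:]]


def cusum_alarms(periods, warmup=3, a=0.2, h=3.0):
    """Return the indices of the observation periods in which an alarm fires.

    periods: list of (initiated, completed) pairs, one per period.
    warmup:  leading periods used only to fix c_n (assumed estimator).
    a:       drift allowance; x_n values below a do not accumulate.
    h:       alarm threshold on the cumulative sum.
    The sum is reset after each alarm so that later periods are judged
    afresh (assumed convention, not part of the cited thesis).
    """
    alarms = []
    s_n = 0.0
    for offset, x_n in enumerate(period_ratios(periods, warmup)):
        s_n = max(0.0, s_n + x_n - a)
        if s_n > h:
            alarms.append(warmup + offset)
            s_n = 0.0
    return alarms


# Constructed sample: request/status lines seen in one period (2 INVITE, 1 ACK).
SAMPLE_FIRST_LINES = [
    "INVITE sip:bob@example.org SIP/2.0",
    "SIP/2.0 100 Trying",
    "SIP/2.0 200 OK",
    "ACK sip:bob@example.org SIP/2.0",
    "INVITE sip:alice@example.org SIP/2.0",
]

# Constructed sample: a short, high-volume INVITE flood in periods 5-7.
FAST_FLOOD = [(50, 48), (52, 51), (49, 49), (55, 53), (51, 50),
              (400, 52), (420, 50), (410, 49), (50, 49), (52, 51)]

# Constructed sample: a long, low-volume flood (30 unanswered INVITEs per
# period) whose per-period x_n (0.6) never reaches the threshold on its own.
SLOW_FLOOD = [(50, 49)] * 3 + [(80, 50)] * 12

if __name__ == "__main__":
    print("tally:", tally(SAMPLE_FIRST_LINES))
    print("fast flood alarms:", cusum_alarms(FAST_FLOOD))
    print("slow flood alarms:", cusum_alarms(SLOW_FLOOD))
```

On the fast sample the sum crosses h in the first flood period; on the slow sample no single period exceeds h, but the cumulative sum does after eight periods, which is the point of the CUSUM component. Freezing Cn after the warm-up keeps the baseline from being dragged up by the attack itself, at the price of re-learning it when legitimate load changes.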
“Detection of Denial-of-Service Flood Attacks Against SIP-based Network Infrastructure” (http://www.upperside.fr/sip2004/sip2004program.htm) proposes to use the imbalance between incoming INVITE requests and outgoing 180 (Ringing) responses. It maintains fixed-size “hit tables” that serve for tracking the number of full authentication cycles completed: each table contains unique call information (Call-ID or nonce) taken from outgoing 407 (Proxy Authentication Required) messages, and new records replace randomly chosen existing ones. When an incoming INV-cr (i.e. an INVITE with credentials presented) is observed, the proposal searches the table with its call information and, if a record is found, counts a “hit” and deletes the record.
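The fixed-size hit table with random replacement, as an added Python example (written for this page, not code from the cited proposal): outgoing 407 challenges insert a Call-ID, an INVITE carrying credentials is looked up and consumed as a hit, and storage never grows beyond the configured size. The event encoding, the table size, the seed parameter and the constructed traffic are assumptions of the example.

```python
"""Added example: bounded-memory hit table plus INVITE/180 imbalance."""
import random


class HitTable:
    """Fixed-size table of outstanding 407 challenges, random replacement when full."""

    def __init__(self, size, seed=None):
        if size <= 0:
            raise ValueError("size must be positive")
        self.size = size
        self.slots = [None] * size      # fixed storage, never grows
        self.index = {}                 # call-id -> slot, for O(1) lookup
        self.free = list(range(size))
        self.rng = random.Random(seed)  # seed is only for reproducible demos
        self.hits = self.misses = self.evictions = 0

    def record_challenge(self, call_id):
        """Remember the Call-ID of an outgoing 407 challenge."""
        if call_id in self.index:
            return                      # same dialog challenged again; keep one entry
        if self.free:
            slot = self.free.pop()
        else:
            slot = self.rng.randrange(self.size)   # random replacement
            del self.index[self.slots[slot]]
            self.evictions += 1
        self.slots[slot] = call_id
        self.index[call_id] = slot

    def credentialed_invite(self, call_id):
        """INVITE with credentials observed: a hit if we issued the challenge."""
        slot = self.index.pop(call_id, None)
        if slot is None:
            self.misses += 1
            return False
        self.slots[slot] = None
        self.free.append(slot)
        self.hits += 1
        return True

    def occupancy(self):
        return len(self.index)


def process(events, table):
    """Run (direction, kind, call_id) events through the table and count signals.

    kinds: "INVITE" (no credentials), "INVITE-cr" (with credentials),
           "407" and "180" for outgoing responses.  Encoding is an assumption.
    """
    stats = {"invites": 0, "invites_cr": 0, "challenges": 0, "ringing": 0}
    for direction, kind, call_id in events:
        if direction == "in" and kind == "INVITE":
            stats["invites"] += 1
        elif direction == "in" and kind == "INVITE-cr":
            stats["invites_cr"] += 1
            table.credentialed_invite(call_id)
        elif direction == "out" and kind == "407":
            stats["challenges"] += 1
            table.record_challenge(call_id)
        elif direction == "out" and kind == "180":
            stats["ringing"] += 1
    stats["hits"], stats["misses"] = table.hits, table.misses
    stats["imbalance"] = stats["invites"] - stats["ringing"]   # INVITE in vs 180 out
    return stats


# Constructed sample: two legitimate calls, each challenged once and then answered.
LEGIT_EVENTS = [
    ("in", "INVITE", "c1"), ("out", "407", "c1"), ("in", "INVITE-cr", "c1"), ("out", "180", "c1"),
    ("in", "INVITE", "c2"), ("out", "407", "c2"), ("in", "INVITE-cr", "c2"), ("out", "180", "c2"),
]


def flood_events(n):
    """Constructed flood: n INVITEs with distinct Call-IDs, all challenged, none answered."""
    events = []
    for i in range(n):
        events.append(("in", "INVITE", "flood-%d" % i))
        events.append(("out", "407", "flood-%d" % i))
    return events


if __name__ == "__main__":
    print("legit:", process(LEGIT_EVENTS, HitTable(256, seed=0)))
    table = HitTable(256, seed=0)
    print("flood:", process(flood_events(5000), table), "occupancy", table.occupancy())
```

The flood leaves the table at exactly its configured size, which is what requirement (i) above asks for. The cost of random replacement is that a flood of N challenges evicts each legitimate entry with probability 1 - (1 - 1/S)^N, so under attack legitimate INV-cr messages start to miss as well; the hit ratio still collapses, but the attacker influences which entries survive.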
US-A-2003/0226035 refers specifically to TCP (Transmission Control Protocol) services, wherein a client wishing to establish a connection with a host sends a synchronization (SYN) segment to the host. This document discloses a method of detecting TCP SYN flooding attacks based on a counting arrangement in which, inter alia, SYN packets are counted, weighting factors are applied to each count, and an abnormal number of unsuccessful connection attempts is determined from a parameter calculated using the weighting factors in conjunction with the respective counts.
EP-A-1 392 037 describes a method and apparatus performing a frequency analysis on certain types of packets that arrive with a periodic nature. A frequency power spectrum obtained through a Fourier Transform reveals whether the power level at any particular frequency is greater than the average power spectrum; detection of a higher-than-average power level is an indication that an attack is in progress.
US-A-2004/0037326 discloses a method for mitigating DoS attacks using frequency domain techniques to detect packet flooding in which a frequency spectrum reveals a periodic pattern to the attack packets. A pulse generator is used to create pulses having the frequency and phase of the periodic pattern. New packets arriving simultaneously with the created pulses are dropped from the system and packets which are not synchronized with the pulse generator are passed through the system normally.
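The frequency-domain detection of EP-A-1 392 037 and the pulse-synchronised dropping of US-A-2004/0037326, as one added Python example (written for this page, not code from either document): packet arrivals are binned into a time series, a plain DFT gives its power spectrum, a peak far above the average spectrum yields the period of the attack pulses, the angle of that coefficient yields their phase, and packets arriving in step with the predicted pulses are dropped. The bin width, window length, peak-to-average ratio of 10, phase recovery method, drop tolerance and the constructed traffic are all assumptions of the example.

```python
"""Added example: periodic-flood detection via power spectrum, then pulse-gated dropping."""
import cmath
import math

BIN_MS = 10          # bin width in milliseconds (assumed)
WINDOW_MS = 2560     # observation window, 256 bins (assumed)


def bin_arrivals(timestamps_ms, bin_ms=BIN_MS, window_ms=WINDOW_MS):
    """Count arrivals per bin; integer millisecond timestamps keep binning exact."""
    counts = [0] * (window_ms // bin_ms)
    for t in timestamps_ms:
        if 0 <= t < window_ms:
            counts[t // bin_ms] += 1
    return counts


def dft_spectrum(series):
    """(power, phase) for frequency indices 0..N/2 of the mean-removed series.
    O(N^2) is fine for 256 bins; use an FFT for long windows."""
    n = len(series)
    mean = sum(series) / n
    centred = [x - mean for x in series]
    power, phase = [], []
    for k in range(n // 2 + 1):
        coeff = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(centred))
        power.append(abs(coeff) ** 2)
        phase.append(cmath.phase(coeff))
    return power, phase


def find_periodic_flood(timestamps_ms, ratio=10.0, bin_ms=BIN_MS, window_ms=WINDOW_MS):
    """Return (period_ms, pulse_centre_ms) if one frequency dominates the spectrum, else None."""
    series = bin_arrivals(timestamps_ms, bin_ms, window_ms)
    power, phase = dft_spectrum(series)
    n = len(series)
    body = power[1:]                                  # skip the DC term
    avg = sum(body) / len(body)
    k = 1 + max(range(len(body)), key=body.__getitem__)
    if avg == 0 or power[k] < ratio * avg:            # peak must stand out from the average
        return None
    period_bins = n / k
    # For a pulse train the phase of X_k is -2*pi*k*c/N, c being the pulse centroid in bins.
    centroid_bins = (-phase[k] * n / (2 * math.pi * k)) % period_bins
    return period_bins * bin_ms, centroid_bins * bin_ms


def pulse_filter(timestamps_ms, period_ms, pulse_ms, tolerance_ms):
    """Drop packets arriving within tolerance of a predicted pulse; pass the rest."""
    passed, dropped = [], []
    for t in timestamps_ms:
        offset = (t - pulse_ms) % period_ms
        (dropped if min(offset, period_ms - offset) <= tolerance_ms else passed).append(t)
    return passed, dropped


def _lcg(seed):
    """Tiny deterministic generator so the constructed sample is reproducible."""
    x = seed
    while True:
        x = (1103515245 * x + 12345) % (1 << 31)
        yield x >> 16


def legit_traffic(n=300, seed=7):
    """Constructed background: n packets at pseudo-random times in the window."""
    gen = _lcg(seed)
    return sorted(next(gen) % WINDOW_MS for _ in range(n))


def flood_traffic(period_ms=320, start_ms=50, per_pulse=120):
    """Constructed flood: 40 ms bursts of 120 packets (3 per ms), one every 320 ms."""
    return [start_ms + m * period_ms + j // 3
            for m in range(WINDOW_MS // period_ms) for j in range(per_pulse)]


if __name__ == "__main__":
    found = find_periodic_flood(legit_traffic() + flood_traffic())
    print("detected (period_ms, pulse_ms):", found)
    if found:
        period_ms, pulse_ms = found
        print("flood dropped:", len(pulse_filter(flood_traffic(), period_ms, pulse_ms, 30)[1]))
        print("legit passed:", len(pulse_filter(legit_traffic(), period_ms, pulse_ms, 30)[0]))
```

The pulse train shows up at index k = 8 (period 256/8 bins = 320 ms) with a centroid near 65 ms; gating on that period drops every flood packet and, as the cited approach accepts, also the legitimate packets that happen to arrive inside the gate (about 19% of them with a 61 ms gate on a 320 ms period). Random traffic has no such peak, so for it the function is expected to return None.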
U.S. Pat. No. 6,578,147 describes a system for detecting unauthorized signatures to or from a local network. Multiple sensors are connected at an internetworking device, which can be a router or a switch. The sensors operate in parallel and each receives a portion of traffic through the internetworking device, at a session-based level or at a lower (packet-based) level. Depending on the type of internetworking device (router or switch) the load balancing mechanism that distributes the packets can be internal or external to the internetworking device. Also depending on the level of packet distribution (session-based or packet-based), the sensors share a network analyzer (if session-based) or both a network analyzer and a session analyzer (if packet-based).
US-A-2004/986181 discloses a system for defending against a distributed DoS attack on an active network by removing the agent and master programs used in the distributed denial-of-service attack and isolating the attacker from the entire network.
US-A-2002/0095492 discloses a system for thwarting denial of service attacks on a victim data centre. The system includes a plurality of monitors that monitor network traffic flow through the network, and a central controller that receives data from the monitors over a hardened, redundant network and analyzes network traffic statistics to identify malicious network traffic. A gateway device, which passes network packets between the network and the victim site, is disposed to protect the victim site and is coupled to the central controller by the redundant hardened network.
US-A-2002/0038430 refers to a system for the collection, analysis, and distribution of cyber-threat alerts. The system collects cyber-threat intelligence data from a plurality of sources, and then preprocesses the intelligence data for further review by an intelligence analyst (human). The analyst reviews the intelligence data and determines whether it is appropriate for delivery to subscribing clients of the cyber-threat alert service. The system reformats and compiles the intelligence data and automatically delivers the intelligence data through a plurality of delivery methods.
US-A-2003/0084329 discloses a method of preventing intrusions on a node of a network, comprising monitoring, by a first layer of an intrusion prevention system, application data of applications running on the node; monitoring, by a second layer of the intrusion prevention system, transport layer data of the node; and monitoring, by a third layer of the intrusion prevention system, network layer data of the node.
Applicant has noted that the above solutions are in general specific to a particular attack and are not able to manage a variety of situations, including: (i) message flooding originated by a malicious attacker (a human being or a computer program); (ii) client misconfiguration, wherein a huge number of useless (and annoying) messages are exchanged between the client and the server, for example when an automatic process generates an endless cycle of authentication messages, each authentication request being rejected due to missing (or wrong) user credentials; and (iii) attacks toward the service logic coded in the application programs, for example when a malicious attacker crafts a message so as to stress the parsing process performed by the server, thereby causing abnormal resource consumption and, consequently, a DoS.
Applicant has further noted that an intrusion detection system operating at the network or transport level is generally ineffective against application-level DoS attacks, as application-level messages cannot be discerned by a detection system operating at lower levels.
“SCIDIVE: A Stateful and Cross Protocol Intrusion Detection Architecture for Voice-over-IP Environments” (http://dynamo.ecn.purdue.edu/˜sbagchi/Research/Papers/Scidive_dsn04_cameraready.pdf) describes an Intrusion Detection System structured to detect different classes of intrusions. This prior system uses a Distiller, through which all incoming network traffic passes and which translates packets into protocol-dependent information units called Footprints. Footprints belonging to the same session are grouped into Trails. An Event Generator maps Footprints into Events, which are matched by a Rule Matching Engine against a Ruleset. The Event Generator is hard-coded and tightly coupled with the internal structures, so as to correlate the information in the Footprints and concentrate it into a single Event; a sequence of Events triggers the Ruleset.
Applicant has observed that matching of events against a Ruleset presupposes that the classes of intrusion are known in advance, thereby limiting the flexibility of the detection system.